In recent years, many organizations ranging from global business enterprises to governmental agencies have suffered from data breaches, which often result in the loss and/or disclosure of sensitive, confidential data such as financial information and personal information. Such confidential information could, if it fell into the wrong hands, have significant repercussions for the organization and people associated with the organization.
One cause of data breaches is insider threats, which are malicious threats to an organization that come from people within or directly associated with the organization (e.g., employees, former employees, contractors, business associates) who have inside knowledge of the organization's security practices, data, and/or computer systems. Another cause of data breaches is "outside" attackers who are not part of the organization but attempt to exploit or take control of the organization's systems. Outside attackers can use a variety of techniques to attack the organization, including direct attacks on exposed systems, malware such as computer viruses, social engineering, phishing, etc.
Data breaches can be persistent over a period of time, or occur at a single point in time. For example, an insider may carry out a data breach by acquiring small amounts of sensitive information over a long period, such as days, weeks, months, or even years. Alternatively, a data breach may occur over a comparatively brief period, ranging from fractions of a second to minutes or longer, such as when an attacker quickly acquires (e.g., downloads) a large amount of information from the organization in a single bulk transfer.
Recently, many massive data breaches have been attributed to insider threats. One well-known example is the data breach initiated by Edward Snowden, a contractor and system administrator at the United States (U.S.) National Security Agency (NSA), who acquired approximately four terabytes (TB) of data from the NSA using four laptop computers. According to the NSA, this data allegedly included approximately 1.7 million classified documents, and the breach was the most damaging (known) data breach ever to impact the U.S. Intelligence Community.
Another example of a massive data breach by an insider was that of Chelsea Manning (born Bradley Manning), who worked as an intelligence analyst for the U.S. Army and acquired approximately three-quarters of a million classified, or unclassified but sensitive, military and diplomatic documents, which were then disclosed via the WikiLeaks website.
One more example is the Anat Kamm-Uri Blau affair from 2007. In this breach, former Israeli soldier Anat Kamm, while working as an assistant in the Central Command bureau of the Israel Defense Forces (IDF), secretly copied thousands of classified and/or confidential documents and leaked them to Uri Blau, a journalist at the Israeli newspaper Haaretz.
Yet another prominent data breach, which some have attributed at least in part to an insider threat, is the Sony data breach, which was discovered in November 2014 but had likely been ongoing for over a year. In this attack, the attackers claimed to have taken over 100 terabytes of data from Sony Pictures Entertainment. Sony later acknowledged that the attackers not only erased data from its systems, but also stole and subsequently released to the public pre-release movies, private communications, and sensitive documents such as salary schedules and social security numbers.
Organizations have attempted to prevent these types of data breaches by implementing file access controls that enforce permissions on files. Typically, such enforcement schemes involve configuring rules that specify which files (or groups of files, storage locations, etc.) may or may not be accessed by particular users (or user groups, etc.), and denying any access that is not permitted by those rules.
However, this approach of implementing and enforcing permissions for access to files has largely failed. First, many large-scale data breaches continue to occur despite the widespread deployment of file access control systems. Notably, several of the insiders in the incidents described above, such as a system administrator or an intelligence analyst, held legitimate credentials for much of the data they took, so a permission check alone would not have blocked their access. Moreover, as the number of users and the number of files in an organization grow, the "matrix" of user-to-file permissions that must be configured and maintained grows with the product of the two, so it becomes increasingly difficult for organizations to keep that configuration correct, and stale or over-broad permissions accumulate. Further, such file access controls can make collaboration between users within the organization very difficult, as the permissions on files may need to be modified frequently to allow the different types of access that different users require at different times.
Accordingly, there is a significant and growing need for techniques and systems to protect against large-scale data breaches without the substantial drawbacks of conventional approaches, such as those involving the use of file access controls.